1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2024 OpenVPN Inc <sales@openvpn.net>
9  * Copyright (C) 2010-2021 Fox Crypto B.V. <openvpn@foxcrypto.com>
10  *
11  * This program is free software; you can redistribute it and/or modify
12  * it under the terms of the GNU General Public License version 2
13  * as published by the Free Software Foundation.
14  *
15  * This program is distributed in the hope that it will be useful,
16  * but WITHOUT ANY WARRANTY; without even the implied warranty of
17  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18  * GNU General Public License for more details.
19  *
20  * You should have received a copy of the GNU General Public License along
21  * with this program; if not, write to the Free Software Foundation, Inc.,
22  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
23  */
24 
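#ifndef SSL_BACKEND_H_
#define SSL_BACKEND_H_

#include "buffer.h"

#ifdef ENABLE_CRYPTO_OPENSSL
#include "ssl_openssl.h"
#include "ssl_verify_openssl.h"
#define SSLAPI SSLAPI_OPENSSL
#endif
#ifdef ENABLE_CRYPTO_MBEDTLS
#include "ssl_mbedtls.h"
#include "ssl_verify_mbedtls.h"
#define SSLAPI SSLAPI_MBEDTLS
#endif

/* Ensure that SSLAPI got a sane value if SSL is disabled or unknown */
#ifndef SSLAPI
#define SSLAPI SSLAPI_NONE
#endif

/*
 * NOTE(review): the various *_inline flags below appear to select content
 * supplied inline over a path to a file; confirm against the backend
 * implementations (ssl_openssl.c / ssl_mbedtls.c) before relying on that.
 */

/**
 * Security parameter state of a single session within a VPN tunnel.
 * Defined in ssl_common.h; this header only refers to it through pointers.
 */
struct tls_session;

/*
 *
 * Functions implemented in ssl.c for use by the backend SSL library
 *
 */

/**
 * Callback to retrieve the user's password.
 *
 * Has the shape of the OpenSSL pem_password_cb callback.
 *
 * @param buf     Buffer the password is written into.
 * @param size    Size of @p buf in bytes.
 * @param rwflag  Read/write flag as passed by the library.
 * @param u       Opaque user data handed to the callback.
 *
 * @return presumably the length of the password written to @p buf, as the
 *         OpenSSL convention requires -- confirm in ssl.c.
 */
int pem_password_callback(char *buf, int size, int rwflag, void *u);

/*
 *
 * Functions used in ssl.c which must be implemented by the backend SSL library
 *
 */

/**
 * Perform any static initialisation necessary by the library.
 */
void tls_init_lib(void);

/**
 * Free any global SSL library-specific data structures.
 */
void tls_free_lib(void);

/**
 * Clear the underlying SSL library's error state.
 */
void tls_clear_error(void);

/*
 * TLS protocol version constants. tls_version_max() returns one of these,
 * and tls_version_parse() is expected to as well (TLS_VER_BAD on failure,
 * presumably -- confirm in ssl.c).
 */
#define TLS_VER_BAD -1
#define TLS_VER_UNSPEC 0 /* default */
#define TLS_VER_1_0 1
#define TLS_VER_1_1 2
#define TLS_VER_1_2 3
#define TLS_VER_1_3 4

/**
 * Parse a TLS version string into a TLS_VER_x constant.
 *
 * @param vstr   Version string to parse.
 * @param extra  Additional qualifier string (semantics defined in ssl.c).
 *
 * @return A TLS_VER_x constant.
 */
int tls_version_parse(const char *vstr, const char *extra);

/**
 * Return the maximum TLS version (as a TLS_VER_x constant) supported by
 * current SSL implementation.
 *
 * @return One of the TLS_VER_x constants.
 */
int tls_version_max(void);

/**
 * Initialise a library-specific TLS context for a server.
 *
 * @param ctx  TLS context to initialise.
 */
void tls_ctx_server_new(struct tls_root_ctx *ctx);

/**
 * Initialises a library-specific TLS context for a client.
 *
 * @param ctx  TLS context to initialise.
 */
void tls_ctx_client_new(struct tls_root_ctx *ctx);

/**
 * Frees the library-specific TLSv1 context.
 *
 * @param ctx  TLS context to free.
 */
void tls_ctx_free(struct tls_root_ctx *ctx);

/**
 * Checks whether the given TLS context is initialised.
 *
 * @param ctx  TLS context to check.
 *
 * @return true if the context is initialised, false otherwise.
 */
bool tls_ctx_initialised(struct tls_root_ctx *ctx);

/**
 * Set any library specific options.
 *
 * @param ctx        TLS context to configure.
 * @param ssl_flags  Option flags to apply.
 *
 * @return Backend-defined status; not documented here -- see the backend
 *         implementation for which outcome is reported as true/false.
 */
bool tls_ctx_set_options(struct tls_root_ctx *ctx, unsigned int ssl_flags);

/**
 * Restrict the list of ciphers that can be used within the TLS context
 * for TLS 1.2 and below.
 *
 * @param ctx      TLS context to restrict.
 * @param ciphers  Cipher list to allow.
 */
void tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers);

/**
 * Restrict the list of ciphers that can be used within the TLS context
 * for TLS 1.3 and higher.
 *
 * @param ctx      TLS context to restrict.
 * @param ciphers  Cipher list to allow.
 */
void tls_ctx_restrict_ciphers_tls13(struct tls_root_ctx *ctx, const char *ciphers);

/**
 * Set the TLS certificate profile.
 *
 * @param ctx      TLS context to configure.
 * @param profile  Certificate profile name.
 */
void tls_ctx_set_cert_profile(struct tls_root_ctx *ctx, const char *profile);

/**
 * Set the (elliptic curve) group allowed for signatures and key exchange.
 *
 * @param ctx     TLS context to configure.
 * @param groups  Group list to allow.
 */
void tls_ctx_set_tls_groups(struct tls_root_ctx *ctx, const char *groups);

/**
 * Check our certificate notBefore and notAfter fields, and warn if the cert
 * is either not yet valid or no longer valid.
 *
 * This only warns; it does not reject the certificate.
 *
 * @param ctx  TLS context holding the certificate.
 */
void tls_ctx_check_cert_time(const struct tls_root_ctx *ctx);

/**
 * Load Diffie Hellman Parameters, and load them into the library-specific
 * TLS context.
 *
 * @param ctx             TLS context to load the parameters into.
 * @param dh_file         DH parameter file (or its contents, see note above).
 * @param dh_file_inline  Inline-content flag.
 */
void tls_ctx_load_dh_params(struct tls_root_ctx *ctx, const char *dh_file,
                            bool dh_file_inline);

/**
 * Load Elliptic Curve Parameters, and load them into the library-specific
 * TLS context.
 *
 * @param ctx         TLS context to load the parameters into.
 * @param curve_name  Name of the curve to use.
 */
void tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name);

/**
 * Load PKCS #12 file for key, cert and (optionally) CA certs, and add to
 * library-specific TLS context.
 *
 * @param ctx                 TLS context to load into.
 * @param pkcs12_file         PKCS #12 file (or its contents, see note above).
 * @param pkcs12_file_inline  Inline-content flag.
 * @param load_ca_file        Whether to also load the CA certificates.
 *
 * @return Backend-defined status code; see the backend implementation.
 */
int tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file,
                        bool pkcs12_file_inline, bool load_ca_file);

#ifdef ENABLE_CRYPTOAPI
/**
 * Use Windows cryptoapi for key and cert, and add to library-specific TLS
 * context.
 *
 * @param ctx             TLS context to load into.
 * @param cryptoapi_cert  Certificate selector passed to cryptoapi.
 */
void tls_ctx_load_cryptoapi(struct tls_root_ctx *ctx, const char *cryptoapi_cert);

#endif /* ENABLE_CRYPTOAPI */

/**
 * Load certificate file into the given TLS context.
 *
 * @param ctx               TLS context to load into.
 * @param cert_file         Certificate file (or its contents, see note above).
 * @param cert_file_inline  Inline-content flag.
 */
void tls_ctx_load_cert_file(struct tls_root_ctx *ctx, const char *cert_file,
                            bool cert_file_inline);

/**
 * Load private key file into the given TLS context.
 *
 * @param ctx                   TLS context to load into.
 * @param priv_key_file         Private key file (or its contents, see note above).
 * @param priv_key_file_inline  Inline-content flag.
 *
 * @return Backend-defined status code; see the backend implementation.
 */
int tls_ctx_load_priv_file(struct tls_root_ctx *ctx, const char *priv_key_file,
                           bool priv_key_file_inline);

#ifdef ENABLE_MANAGEMENT

/**
 * Tell the management interface to load the given certificate and the
 * external private key matching the certificate.
 *
 * @param ctx  TLS context to load into.
 *
 * @return Backend-defined status code; see the backend implementation.
 */
int tls_ctx_use_management_external_key(struct tls_root_ctx *ctx);

#endif /* ENABLE_MANAGEMENT */

/**
 * Load certificate authority certificates from the given file or path.
 *
 * @param ctx             TLS context to load into.
 * @param ca_file         CA certificate file (or its contents, see note above).
 * @param ca_file_inline  Inline-content flag.
 * @param ca_path         CA certificate directory path.
 * @param tls_server      Whether the context is used on the server side.
 */
void tls_ctx_load_ca(struct tls_root_ctx *ctx, const char *ca_file,
                     bool ca_file_inline, const char *ca_path, bool tls_server);

/**
 * Load extra certificate authority certificates from the given file or path.
 *
 * @param ctx                      TLS context to load into.
 * @param extra_certs_file         Extra certificates file (or its contents).
 * @param extra_certs_file_inline  Inline-content flag.
 */
void tls_ctx_load_extra_certs(struct tls_root_ctx *ctx,
                              const char *extra_certs_file,
                              bool extra_certs_file_inline);

#ifdef ENABLE_CRYPTO_MBEDTLS

/**
 * Personalise the random number generator of the given TLS context
 * (mbed TLS backend only).
 *
 * @param ctx  TLS context whose RNG is personalised.
 */
void tls_ctx_personalise_random(struct tls_root_ctx *ctx);

#endif

/* **************************************
 *
 * Key-state specific functions
 *
 ***************************************/

/**
 * Initialise the SSL channel part of the given key state.
 *
 * @param ks_ssl     Key state whose SSL channel is initialised.
 * @param ssl_ctx    TLS context to derive the channel from.
 * @param is_server  Whether this side acts as the TLS server.
 * @param session    Session the key state belongs to.
 */
void key_state_ssl_init(struct key_state_ssl *ks_ssl,
                        const struct tls_root_ctx *ssl_ctx, bool is_server, struct tls_session *session);

/**
 * Sets a TLS session to be shutdown state, so the TLS library will generate
 * a shutdown alert.
 *
 * @param ks_ssl  Key state whose SSL channel is shut down.
 */
void
key_state_ssl_shutdown(struct key_state_ssl *ks_ssl);

/**
 * Free the SSL channel part of the given key state.
 *
 * @param ks_ssl  Key state whose SSL channel is freed.
 */
void key_state_ssl_free(struct key_state_ssl *ks_ssl);

/**
 * Reload the Certificate Revocation List for the SSL channel.
 *
 * @param ssl_ctx     TLS context to reload the CRL into.
 * @param crl_file    CRL file (or its contents, see note above).
 * @param crl_inline  Inline-content flag.
 */
void backend_tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx,
                                const char *crl_file, bool crl_inline);

/*
 * Exporter labels passed to key_state_export_keying_material(). Each purpose
 * uses its own label so that the material derived for one purpose can never
 * collide with material derived for another.
 */
#define EXPORT_KEY_DATA_LABEL "EXPORTER-OpenVPN-datakeys"
#define EXPORT_P2P_PEERID_LABEL "EXPORTER-OpenVPN-p2p-peerid"
#define EXPORT_DYNAMIC_TLS_CRYPT_LABEL "EXPORTER-OpenVPN-dynamic-tls-crypt"

/**
 * Keying Material Exporters [RFC 5705] allows additional keying material to
 * be derived from the existing TLS session.
 *
 * @param session     Session to export keying material from.
 * @param label       Exporter label (one of the EXPORT_*_LABEL values).
 * @param label_size  Length of @p label.
 * @param ekm         Buffer the exported keying material is written into.
 * @param ekm_size    Size of @p ekm in bytes.
 *
 * @return true on success, false otherwise -- presumably; confirm in the
 *         backend implementation.
 */
bool
key_state_export_keying_material(struct tls_session *session,
                                 const char *label, size_t label_size,
                                 void *ekm, size_t ekm_size);

/**************************************************************************/

/**
 * Insert a plaintext buffer into the TLS module.
 *
 * @param ks_ssl  Key state whose SSL channel receives the data.
 * @param buf     Plaintext buffer to insert.
 *
 * @return Backend-defined status code; see the backend implementation.
 */
int key_state_write_plaintext(struct key_state_ssl *ks_ssl, struct buffer *buf);

/**
 * Insert plaintext data into the TLS module.
 *
 * @param ks_ssl  Key state whose SSL channel receives the data.
 * @param data    Plaintext bytes to insert.
 * @param len     Number of bytes in @p data.
 *
 * @return Backend-defined status code; see the backend implementation.
 */
int key_state_write_plaintext_const(struct key_state_ssl *ks_ssl,
                                    const uint8_t *data, int len);

/**
 * Extract ciphertext data from the TLS module.
 *
 * @param ks_ssl  Key state whose SSL channel is read.
 * @param buf     Buffer the ciphertext is written into.
 *
 * @return Backend-defined status code; see the backend implementation.
 */
int key_state_read_ciphertext(struct key_state_ssl *ks_ssl, struct buffer *buf);


/**
 * Insert a ciphertext buffer into the TLS module.
 *
 * @param ks_ssl  Key state whose SSL channel receives the data.
 * @param buf     Ciphertext buffer to insert.
 *
 * @return Backend-defined status code; see the backend implementation.
 */
int key_state_write_ciphertext(struct key_state_ssl *ks_ssl,
                               struct buffer *buf);

/**
 * Extract plaintext data from the TLS module.
 *
 * @param ks_ssl  Key state whose SSL channel is read.
 * @param buf     Buffer the plaintext is written into.
 *
 * @return Backend-defined status code; see the backend implementation.
 */
int key_state_read_plaintext(struct key_state_ssl *ks_ssl, struct buffer *buf);

/* **************************************
 *
 * Information functions
 *
 * Print information for the end user.
 *
 ***************************************/

/**
 * Print a one line summary of SSL/TLS session handshake.
 *
 * @param ks_ssl  Key state whose handshake is summarised.
 * @param prefix  Text prepended to the summary line.
 */
void print_details(struct key_state_ssl *ks_ssl, const char *prefix);

/**
 * Show the TLS ciphers that are available for us to use in the library
 * depending on the TLS version.
 *
 * @param cipher_list       Cipher list to evaluate.
 * @param tls_cert_profile  Certificate profile in effect.
 * @param tls13             Whether to list TLS 1.3 ciphers.
 */
void
show_available_tls_ciphers_list(const char *cipher_list,
                                const char *tls_cert_profile,
                                bool tls13);

/**
 * Show the available elliptic curves in the crypto library.
 */
void show_available_curves(void);

/**
 * return a pointer to a static memory area containing the name and version
 * number of the SSL library in use.
 *
 * @return Pointer to static storage; the caller must not free it.
 */
const char *get_ssl_library_version(void);

#endif /* SSL_BACKEND_H_ */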